I would like to disable the shutdown command for all users, even root, on an Ubuntu Server installation.

The reason I want to do this is to ensure that I don't get into the habit of shutting down the machine in this way, as I SSH into a lot of production machines at the same time as this one, and I don't want to accidentally shutdown one of the other machines by typing the command into the wrong window.

The server I want do disable shutdown on only runs inside VirtualBox on my Windows desktop, and I only use it for local testing so it is not a problem if I can't shut it down from the command line.

I have already mitigated the problem a bit by ensuring I have a different password on the VirtualBox image, but obviously if I am within the sudo 'window' on one of the production machines, I could still accidentally shut it down.

My questions are:

How do I disable the shutdown command?

If I do disable the shutdown command, are there any consequences that I should be made aware of? Most specifically, will it disable support for ACPI shutdown that is the equivalent of pressing the power button on a physical machine? Could it affect other generic applications?

For information, I just use this VirtualBox image for trying out shell scripts, running Tomcat and Java, and that kind of thing.

In my opinion changing such a core behaviour of the system to prevent human error is a bad idea. It is likely to bring more issues in the long term than it resolves. If you keep a different user password for every system you minimize the risk (since it requires sudo). You should develop good habits which do not depend on a particular system change, much more serious disasters are frequently caused with rm/cp/chmod which are used much more frequently, and I guess you are not going to disable those.
–
João PintoDec 13 '10 at 10:20

While I do agree with that, and it is definitely the Right Way to do things, this is just to avoid that one, tiny situation wrt an unofficial Ubuntu image I have on my desktop in order to allow me to try things out without the risk of b0rking my employer's machines :)
–
RichDec 13 '10 at 12:03

6 Answers
6

If you usually run the command as sudo shutdown, rather than sudo /sbin/shutdown, then you can just setup a global shell alias for "shutdown" to just echo a message to the terminal instead. The real executable will still be there for all other purposes.

This sounds like the best way to go if you're just trying to interrupt a habit.
–
ændrükDec 15 '10 at 18:15

But note that the obvious way to set up a shell alias (alias shutdown=sl) won't have any effect on the arguments to sudo. In zsh you can define aliases that do match against arguments, but I think not in bash. You could alias sudo to a shell script that refuses to do anything if the first argument is shutdown.
–
poolieMar 23 '11 at 0:56

A much better approach to this problem is to install the molly-guard program on the boxes you don't want to shutdown, rather than trying to train yourself to never run shutdown.

molly-guard attempts to prevent you from accidentally shutting down or rebooting machines. It does this by injecting a couple of checks before the existing commands: halt, reboot, shutdown, and poweroff.

The typical configuration is that it asks you to type the hostname of the machine to confirm you are really on the right one.

If you really want to disable shutdown (and this is such a bizarre idea), just do

A great idea but sadly not possible as I don't have enough control over the systems to be able to install my own software. Sadly I do have enough control to be able to shut them down!
–
RichDec 14 '10 at 9:21

1

Are you serious? That is very strange. If you have sudo access to run shutdown only, perhaps you could persuade people to change sudo to emit a big prompt, or to always require a password. If there is a risk of you accidentally shutting them down, it would be in the administrators interests to install molly-guard.
–
poolieDec 14 '10 at 22:37

To disable shutdown command just make the binary non executable i.e sudo chmod a-x /sbin/shutdown
Also i dont think that it will effect any other shutdown method because as the man entry for shutdown says

shutdown sends a request to the init
daemon to bring the system down into
the appropriate runlevel

so any other command/script can do this even after disabling shutdown command for example I can still shutdown my system using shutdown from GNOME menu. Also you can still reboot your computer from command line using reboot command

The shutdown command is in /sbin/shutdown. You can disable it by doing this:

sudo mv /sbin/shutdown /sbin/really-do-shutdown

But: This means that almost none of the usual methods of shutting down the system will work any longer. Shutting down out of gnome on my test machine for this answer causes it to just log you out and throw you back to GDM.

If you want to shut down your system afterwards, you have to do

sudo init 0

"Disabling" shutdown will affect every application that uses the command for anything. Since init 0 is not the recommended way of shutting down a system, all programs that have to shut down the system use shutdown for it, which won't work any more.

Applications can also throw exceptions due to the missing file, or the file being not executable, potentially causing them to crash even though a shutdown isn't necessary. This is an edge-case that you can work around by moving some binary, ideally executable file (not a shell script - that won't work) in it's place. For example:

sudo cp /bin/ps /sbin/shutdown

This is after you've moved the original out of the way safely.

Now, all this is quite hacky, and I recommend against it, for the reasons outlined in João Pinto's comment. But I won't stop you from doing it. :-)

Don't only make a back up of /sbin/shutdown, also, have a recovery plan in place in case it causes any trouble. Don't do this on a server that you can't get to, for example. And test your recovery plan beforehand, assuming that the system doesn't boot at all (it will boot of course - I've tested it - but please be on the safe side).

I think it should be take a other solution, Servers should have a ssh policy
to disable shutdown and init 0 over ssh, or there must be a special dialog displayed
on console like at Windows to enter the "why" and special "shutdown password". To this the powerbutton should be password protected on Server use.

At moment we use a "physical key switch = 4Euros" instead of a Push Button.